8.2. Example: Combining Container-Managed and Programmatic Security

Listing 8.2 presents a JSP page that augments the internal Web site for hot-dot-com.com introduced in Section 7.4. The page shows plans for employee pay. Because of entries in web.xml (Listing 8.3), the page can be accessed only by users in the employee or executive roles: the container-managed security constraint decides who reaches the page at all. Although both groups can access the page, they see substantially different results, because the page itself calls request.isUserInRole to decide what to render. In particular, the planned pay scales for executives are hidden from the regular employees.

Figure 8-1 shows the page when it is accessed by user gates or ellison (both in the employee role; see Listing 7.25). Figure 8-2 shows the page when it is accessed by user mcnealy (in the executive role). Remember that BASIC authentication provides no simple mechanism for changing your username once you have been authenticated, because the browser caches the credentials and resends them with every request to the realm (see Section 7.3). So, for example, switching from user gates to user mcnealy requires you to quit and restart your browser.

Figure 8-1. The employee-pay.jsp page when accessed by a user who is in the employee role.


Figure 8-2. The employee-pay.jsp page when accessed by a user who is in the executive role.


Listing 8.2. employee-pay.jsp
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> 
<HTML> 
<HEAD> 
<TITLE>Compensation Plans</TITLE> 
<LINK REL=STYLESHEET 
      HREF="company-styles.css" 
      TYPE="text/css"> 
</HEAD> 
<BODY> 
<TABLE BORDER=5 ALIGN="CENTER"> 
  <TR><TH CLASS="TITLE">Compensation Plans</TABLE> 
<P> 
Due to temporary financial difficulties, we are scaling 
back our very generous plans for salary increases. Don't 
worry, though: your valuable stock options more than 
compensate for any small drops in direct salary. 

<H3>Regular Employees</H3> 
Pay for median-level employee (Master's degree, eight years' 
experience): 
<UL> 
  <LI><B>2002:</B> $50,000. 
  <LI><B>2003:</B> $30,000. 
  <LI><B>2004:</B> $25,000. 
  <LI><B>2005:</B> $20,000. 
</UL> 

<% if (request.isUserInRole("executive")) { %> 
<H3>Executives</H3> 
Median pay for corporate executives: 
<UL> 
  <LI><B>2002:</B> $500,000. 
  <LI><B>2003:</B> $600,000. 
  <LI><B>2004:</B> $700,000. 
  <LI><B>2005:</B> $800,000. 
</UL> 
<% } %> 
</BODY> 
</HTML> 

Listing 8.3. web.xml (For augmented hotdotcom intranet)
<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE web-app PUBLIC 
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" 
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd"> 

<web-app> 
  <!-- A servlet that redirects users to the home page. --> 
  <servlet> 
    <servlet-name>Redirector</servlet-name> 
    <servlet-class>hotdotcom.RedirectorServlet</servlet-class> 
  </servlet> 

  <!-- Turn off invoker. Send requests to index.jsp. --> 
  <servlet-mapping> 
    <servlet-name>Redirector</servlet-name> 
    <url-pattern>/servlet/*</url-pattern> 
  </servlet-mapping> 

  <!-- If URL gives a directory but no filename, try index.jsp 
       first and index.html second. If neither is found, 
       the result is server specific (e.g., a directory 
       listing). --> 
  <welcome-file-list> 
    <welcome-file>index.jsp</welcome-file> 
    <welcome-file>index.html</welcome-file> 
  </welcome-file-list> 

  <!-- Protect financial plan. Employees or executives. --> 
  <security-constraint> 
    <web-resource-collection> 
      <web-resource-name>Financial Plan</web-resource-name> 
      <url-pattern>/financial-plan.html</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
      <role-name>employee</role-name> 
      <role-name>executive</role-name> 
    </auth-constraint> 
  </security-constraint> 
  <!-- Protect business plan. Executives only. --> 
  <security-constraint> 
    <web-resource-collection> 
      <web-resource-name>Business Plan</web-resource-name> 
      <url-pattern>/business-plan.html</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
      <role-name>executive</role-name> 
    </auth-constraint> 
  </security-constraint> 

  <!-- Protect compensation plan. Employees or executives. --> 
  <security-constraint> 
    <web-resource-collection> 
      <web-resource-name>Compensation Plan</web-resource-name> 
      <url-pattern>/employee-pay.jsp</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
      <role-name>employee</role-name> 
      <role-name>executive</role-name> 
    </auth-constraint> 
  </security-constraint> 

  <!-- Tell the server to use BASIC authentication. --> 
  <login-config> 
    <auth-method>BASIC</auth-method> 
    <realm-name>Intranet</realm-name> 
  </login-config> 
</web-app> 
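The two listings are only consistent if every page that calls isUserInRole() is also named by a <security-constraint>: the container enforces nothing for URLs that match no <url-pattern>, and for an anonymous user every isUserInRole() call simply returns false, so an unlisted page would quietly serve everything outside its guards to anybody. The script below is an added example for this section, not code from the book. It embeds the three constraints of Listing 8.3 (DOCTYPE, servlet entries and realm-name left out), combines overlapping constraints the way the Servlet specification does, and cross-checks a page's isUserInRole() calls against them. The /bonus-plan.jsp page it also audits is constructed for the example, with a misspelled role and no constraint, and does not exist in the book.

```python
"""Cross-check web.xml <security-constraint> coverage against the
isUserInRole() calls a JSP makes.  Added example, not code from the book."""
import re
import xml.etree.ElementTree as ET

# The constraints of Listing 8.3 (DOCTYPE, servlet entries, realm-name omitted).
WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Financial Plan</web-resource-name>
      <url-pattern>/financial-plan.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name><role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Business Plan</web-resource-name>
      <url-pattern>/business-plan.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>executive</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Compensation Plan</web-resource-name>
      <url-pattern>/employee-pay.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name><role-name>executive</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""

# The programmatic check from Listing 8.2.
EMPLOYEE_PAY_JSP = '<% if (request.isUserInRole("executive")) { %> ... <% } %>'
# Constructed, hypothetical page: same idiom, misspelled role, and no
# <security-constraint> in WEB_XML names it.
BONUS_PLAN_JSP = '<% if (request.isUserInRole("exective")) { %> ... <% } %>'

ROLE_CALL = re.compile(r'isUserInRole\(\s*"([^"]*)"\s*\)')

def url_pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix ('/dir/*') or
    extension ('*.jsp').  Exact and case-sensitive, as the spec requires."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def parse_constraints(web_xml):
    """Return [(url_patterns, roles)]; roles is None when the constraint has
    no <auth-constraint> and [] when it has an empty one."""
    root = ET.fromstring(web_xml.encode("latin-1"))
    constraints = []
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.iter("role-name")]
        constraints.append((patterns, roles))
    return constraints

def effective_roles(constraints, path):
    """Combine every constraint matching `path` as the Servlet spec does:
    no match -> "unprotected"; any empty <auth-constraint> -> "denied";
    any match lacking <auth-constraint> -> "unprotected"; else the union."""
    matching = [roles for patterns, roles in constraints
                if any(url_pattern_matches(p, path) for p in patterns)]
    if not matching:
        return "unprotected"
    if any(roles == [] for roles in matching):
        return "denied"
    if any(roles is None for roles in matching):
        return "unprotected"
    return set().union(*matching)

def audit_page(web_xml, path, jsp_source):
    """Findings for one page; an empty list means declarative and
    programmatic security agree."""
    allowed = effective_roles(parse_constraints(web_xml), path)
    known = {r.text.strip() for r in ET.fromstring(web_xml.encode("latin-1")).iter("role-name")}
    findings = []
    if allowed == "unprotected":
        findings.append(f"{path}: no <security-constraint> covers it, so anonymous "
                        f"users receive everything outside the isUserInRole() guards")
    elif allowed == "denied":
        findings.append(f"{path}: an empty <auth-constraint> precludes all access")
    for role in sorted(set(ROLE_CALL.findall(jsp_source))):
        if role not in known:  # every role name web.xml mentions anywhere
            findings.append(f'{path}: isUserInRole("{role}") names a role web.xml '
                            f"never mentions (typo, or missing <security-role>)")
    return findings

if __name__ == "__main__":
    for path, src in (("/employee-pay.jsp", EMPLOYEE_PAY_JSP),
                      ("/bonus-plan.jsp", BONUS_PLAN_JSP)):
        print(path, "->", effective_roles(parse_constraints(WEB_XML), path))
        for finding in audit_page(WEB_XML, path, src):
            print("  FINDING:", finding)
```

Run against a real deployment, point it at the exploded WAR's WEB-INF/web.xml and each JSP under it. Because url-pattern matching is exact, a constraint on /employee-pay.jsp covers only that URL; a directory-wide pattern such as /plans/* is easier to keep complete than a list of individual files, and the audit above will show you which pages a given set of patterns actually reaches.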
